It was not so long ago, nine years to be precise, that hacking critical infrastructure for political or monetary gain was seen as a story fit only for Hollywood, but not anymore.
The 2007 film Live Free or Die Hard depicted a nightmare scenario where a cyber terrorist took control of America’s critical infrastructure and held the country to ransom. At the time many began to wonder if this was a real threat, but certain partners who deal in the space say the threat of such a scenario is more real now than ever.
Hivint is a Western Australian-based cyber security consulting partner working in the critical infrastructure space. The company’s clients are spread across the maritime, national security, energy, and mining sectors.
The firm’s principal consultant, Tom Jreige, said the company provides an independent view of the cyber security space for client organisations.
“Hollywood has a very bad habit of overcooking scenarios but the threat with critical infrastructure is there. You have systems which have been deployed for over 20 years that don’t meet today’s networking standards and don’t meet the security standards,” he warned.
Jreige said that when such systems were implemented, cyber security was not a consideration, and that building a shell around these legacy environments is an arduous task.
“It is quite a critical topic now and people should be scared, especially those running the organisation if they are not being proactive.”
Jreige explained that the approach Hivint takes in dealing with these vulnerabilities is founded on risk assessment.
“Risk management is one of the key things and it has to be done properly to understand the context of the system.
“Once you have the correct context, then you are able to understand what are the current controls in place, if there are any, how to enhance them, how to provide new technology without disrupting the current service and providing a protection that is adequate for that environment.
“Monitoring and logging of events is one of the biggest things which can be done to give visibility to the environment,” he added.
The Bright Side
It is not all doom and gloom though. Security architects such as Check Point’s Jeroen De Corel specialise in critical infrastructure, and De Corel told ARN that Australia was in better shape from a security standpoint than many countries in Europe.
“Australian companies are quite far ahead when it comes to proper segmentation of the network,” he said.
“When it comes to threat prevention on top of that, a lot of customers are aware of all the risks, and in most cases I am only making minor recommendations because they are well ahead of what's going on and on top of things.
“There are some minor things that require some modification and need improving, but in most cases I am very happy with what I am seeing over here.”
De Corel said that while critical infrastructure is just one part of a specific network, segmentation is key to mitigating risk.
“In an ideal world it is completely separated from the IT network, not exactly air-gapped, some customers are talking about air-gapping it, but in most cases the IT network and the OT network need to talk to each other.
“There needs to be a link somehow, and what we are trying to do is secure that link and ensure there is no malware spreading from the IT network to the OT network.
“What we need to do in most cases is not just look at the IT or OT network, but have a holistic view so that if something bad happens in the IT network, the malware will not spread.
“A lot of [criminal] hackers know that to gain entrance to the network and get to the mellow insides, if segmentation is done poorly, then it is only a matter of time before the malware spreads to the OT network.”
De Corel warned that while segmentation was not the silver bullet, it is a vital part of mitigating risk.
“If something bad happens and your network is properly compartmentalised, then it is easier to contain the risk. You can take action in a specific segment and try to remediate,” he said.